Bump the npm_and_yarn group across 2 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@sveltejs/kit	2.22.5	2.52.2
vite	5.4.19	5.4.21
esbuild	0.21.5	0.27.3
playwright	1.45.2	1.58.2
tar	7.4.0	7.5.9

Bumps the npm_and_yarn group with 2 updates in the /tiles directory: esbuild and wrangler.

Updates @sveltejs/kit from 2.22.5 to 2.52.2

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

@​sveltejs/kit@​2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

@​sveltejs/kit@​2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

  Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

  • from.scroll: The scroll position at the moment navigation was triggered
  • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

  This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

• feat: hydratable's injected script now works with CSP (#15048)

Patch Changes

• fix: put preloads before styles (#15232)

• fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)

• fix: fetch not working when URL is same host but different than paths.base (#15291)

• fix: navigate to hash link when base element is present (#15236)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

2.52.1

Patch Changes

• fix: clear stale preflight issues on subsequent valid form submissions (#15281)

• chore: remove dependency on sade (#15272)

• fix: include .txt files in precompression (#15259)

• fix: escape backticks and dollar signs when creating inlined css (#15320)

• fix: increment form.pending count before preflight validation (#15279)

2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

... (truncated)

Commits

• 9c4a737 Version Packages (#15338)
• 3e607b3 Merge commit from fork
• 62991c8 chore: upgrade devalue and svelte (#15339)
• f47c01b Merge commit from fork
• 6f69ded Version Packages (#15321)
• e87efba fix: clear stale preflight issues on subsequent valid form submissions (#15281)
• 4f367d5 chore: fix Node 18 CI by changing .remote.js import to .remote.ts (#15331)
• 20dfadf fix: escape backticks and dollar signs before creating interpolated string (#...
• 8c2384a fix: increment form.pending count before preflight validation (#15279)
• 71ddbc7 chore: remove dependency on sade (#15272)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/kit since your current version.

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• See full diff in compare view

Updates devalue from 5.1.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates esbuild from 0.21.5 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates playwright from 1.45.2 to 1.58.2

Release notes

Sourced from playwright's releases.

v1.58.2

Highlights

#39121 fix(trace viewer): make paths via stdin work #39129 fix: do not force swiftshader on chromium mac

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.1

Highlights

#39036 fix(msedge): fix local network permissions #39037 chore: update cft download location #38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

📣 Playwright CLI+SKILLs 📣

We are adding a new token-efficient CLI mode of operation to Playwright with the skills located at playwright-cli. This brings the long-awaited official SKILL-focused CLI mode to our story and makes it more coding agent-friendly.

It is the first snapshot with the essential command set (which is already larger than the original MCP!), but we expect it to grow rapidly. Unlike the token use, that one we expect to go down since snapshots are no longer forced into the LLM!

Timeline

If you're using merged reports, the HTML report Speedboard tab now shows the Timeline:

UI Mode and Trace Viewer Improvements

• New 'system' theme option follows your OS dark/light mode preference
• Search functionality (Cmd/Ctrl+F) is now available in code editors
• Network details panel has been reorganized for better usability
• JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

browserType.connectOverCDP() now accepts an isLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

• Removed _react and _vue selectors. See locators guide for alternatives.

... (truncated)

Commits

• ce480a9 cherry-pick(#39171): devops: add ubuntu-22.04-arm bot
• e40c137 chore: mark v1.58.2 (#39155)
• 50b7296 cherry-pick(#39152): chore: fix execSync inheriting stdio
• f3dcf50 cherry-pick(#39129): fix: do not force swiftshader on chromium mac
• 8684e08 cherry-pick(#39121): fix(trace viewer): make paths via stdin work
• 97bc385 cherry-pick(#38995): chore(webkit): disable frame sessions on fronzen builds
• ad625fe chore: mark v1.58.1 (#39055)
• f07234d cherry-pick(#39036): fix(msedge): fix local network permissions (#39053)
• ab8136c cherry-pick(#39037): chore: update cft download location (#39052)
• aa6ffeb cherry-pick(#39014): docs: add 1.58 release notes for Java, Python, and C#
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for playwright since your current version.

Updates tar from 7.4.0 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates esbuild from 0.17.19 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates wrangler from 3.73.0 to 4.67.0

Release notes

Sourced from wrangler's releases.

wrangler@4.67.0

Minor Changes

• #12401 8723684 Thanks @​jonesphillip! - Add validation retry loops to pipelines setup command

  The wrangler pipelines setup command now prompts users to retry when validation errors occur, instead of failing the entire setup process. This includes:

  • Validation retry prompts for pipeline names, bucket names, and field names
  • A "simple" mode for sink configuration that uses sensible defaults
  • Automatic bucket creation when buckets don't exist
  • Automatic Data Catalog enablement when not already active

  This improves the setup experience by allowing users to correct mistakes without restarting the entire configuration flow.

• #12395 aa82c2b Thanks @​cmackenzie1! - Generate typed pipeline bindings from stream schemas

  When running wrangler types, pipeline bindings now generate TypeScript types based on the stream's schema definition. This gives you full autocomplete and type checking when sending data to your pipelines.

  // wrangler.json
  {
  	"pipelines": [
  		{ "binding": "ANALYTICS", "pipeline": "analytics-stream-id" },
  	],
  }

  If your stream has a schema with fields like user_id (string) and event_count (int32), the generated types will be:

  declare namespace Cloudflare {
  	type AnalyticsStreamRecord = { user_id: string; event_count: number };
  	interface Env {
  		ANALYTICS: Pipeline<Cloudflare.AnalyticsStreamRecord>;
  	}
  }

  For unstructured streams or when not authenticated, bindings fall back to the generic Pipeline<PipelineRecord> type.

Patch Changes

• #12592 aaa7200 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260217.0	1.20260218.0

... (truncated)

Commits

• 88705ad Version Packages (#12580)
• ca58062 [wrangler] Stop redacting account names in non-interactive mode (#12598)
• e2a6600 fix: pass --env flag to auxiliary workers in multi-worker mode (#12604)
• 2f19a40 chore(deps): bump the workerd-and-workers-types group with 2 updates (#12606)
• 8723684 Improve pipelines setup command with validation retry loops (#12401)
• 0b17117 improve: bump up maximum allowed value for Queue delivery and retry delay to ...
• aa82c2b Generate typed pipeline bindings from stream schemas (#12395)
• b7841db Migrate tests from unstable_dev() to unstable_startWorker() (#12053)
• 5f9f0b4 feat(unenv-preset): add support for native node:readline module (#11734)
• aaa7200 chore(deps): bump the workerd-and-workers-types group with 2 updates (#12592)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.

Updates wrangler from 3.73.0 to 4.67.0

Release notes

Sourced from wrangler's releases.

wrangler@4.67.0

Minor Changes

• #12401 8723684 Thanks @​jonesphillip! - Add validation retry loops to pipelines setup command

  The wrangler pipelines setup command now prompts users to retry when validation errors occur, instead of failing the entire setup process. This includes:

  • Validation retry prompts for pipeline names, bucket names, and field names
  • A "simple" mode for sink configuration that uses sensible defaults
  • Automatic bucket creation when buckets don't exist
  • Automatic Data Catalog enablement when not already active

  This improves the setup experience by allowing users to correct mistakes without restarting the entire configuration flow.

• #12395 aa82c2b Thanks @​cmackenzie1! - Generate typed pipeline bindings from stream schemas

  When running wrangler types, pipeline bindings now generate TypeScript types based on the stream's schema definition. This gives you full autocomplete and type checking when sending data to your pipelines.

  // wrangler.json
  {
  	"pipelines": [
  		{ "binding": "ANALYTICS", "pipeline": "analytics-stream-id" },
  	],
  }

  If your stream has a schema with fields like user_id (string) and event_count (int32), the generated types will be:

  declare namespace Cloudflare {
  	type AnalyticsStreamRecord = { user_id: string; event_count: number };
  	interface Env {
  		ANALYTICS: Pipeline<Cloudflare.AnalyticsStreamRecord>;
  	}
  }

  For unstructured streams or when not authenticated, bindings fall back to the generic Pipeline<PipelineRecord> type.

Patch Changes

• #12592 aaa7200 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260217.0	1.20260218.0

... (truncated)

Commits

• 88705ad Version Packages (#12580)
• ca58062 [wrangler] Stop redacting account names in non-interactive mode (#12598)
• e2a6600 fix: pass --env flag to auxiliary workers in multi-worker mode (#12604)
• 2f19a40 chore(deps): bump the workerd-and-workers-types group with 2 updates (#12606)
• 8723684 Improve pipelines setup command with validation retry loops (#12401)
• 0b17117 improve: bump up maximum allowed value for Queue delivery and retry delay to ...
• aa82c2b Generate typed pipeline bindings from stream schemas (#12395)
• b7841db Migrate tests from unstable_dev() to unstable_startWorker() (#12053)
• 5f9f0b4 feat(unenv-preset): add support for native node:readline module (#11734)
• aaa7200 chore(deps): bump the workerd-and-workers-types group with 2 updates (#12592)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.

Updates undici from 5.28.4 to 7.18.2

Release notes

Sourced from undici's releases.

v7.18.2

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

What's Changed

• fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in nodejs/undici#4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

What's Changed

• Test and Fix running without SSL by @​mcollina in nodejs/undici#4727
• docs: add security warning for strictContentLength option by @​mcollina in nodejs/undici#4726
• build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @​dependabot[bot] in nodejs/undici#4718
• build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in nodejs/undici#4719

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

What's Changed

• chore: extract infra and encoding methods by @​Uzlopak in nodejs/undici#4523
• ci: remove h2 by @​Uzlopak in nodejs/undici#4534
• ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @​Uzlopak in nodejs/undici#4535
• ci: fix nightly shared library case by @​Uzlopak in nodejs/undici#4543
• test: consume bodies of fetch responses to fix failing macos 20 ci by @​Uzlopak in nodejs/undici#4528
• docs: add Cache Interceptor example to README by @​tawseefnabi in nodejs/undici#4393
• test: remove node20 version check by @​Uzlopak in nodejs/undici#4544
• types: use MessagePort instance type in MessageEvent by @​Renegade334 in nodejs/undici#4546
• ci: set write permissions on job level by @​Uzlopak in nodejs/undici#4537
• lint: activate n/no-process-exit by @​Uzlopak in nodejs/undici#4548
• ci: run benchmarks on pull_requests and by pushing on specific branches only by @​Uzlopak in nodejs/undici#4536
• chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @​Uzlopak in nodejs/undici#4547
• feat(H2): correct CONNECT behaviour by @​metcoder95 in nodejs/undici#4541
• test: fix plans by @​Uzlopak in nodejs/undici#4550
• feat: add runtime feature "detection" by @​Uzlopak in nodejs/undici#4545
• perf: use less promises in extractBody by @​Uzlopak in nodejs/undici#4458
• fix(proxy-agent): add missing return after callback-call by @​Uzlopak in nodejs/undici#4553
• fix: remove redundant line in retry-handler by @​Uzlopak in nodejs/undici#4554
• ci: add no-wasm-simd option by @​Uzlopak in nodejs/undici#4533
• fix: use lazyloaders for runtime feature detection by @​Uzlopak in nodejs/undici#4557
• fix: minor changes in dispatcher-base.js and types for Dispatcher by @​Uzlopak in nodejs/undici#4556

...

Description has been truncated

[netlify]

❌ Deploy Preview for qtmmirror failed.

Name	Link
🔨 Latest commit	4756f19
🔍 Latest deploy log	https://app.netlify.com/projects/qtmmirror/deploys/699719a437887b00081f43ec